In Capsule:

  1. Vulnerabilities were discovered in the Formidable Forms plugin for WordPress
  2. Jouko Pynnonen, a researcher at the Finland-based company Klikki Oy, found the flaws
  3. The flaws affect both the free and paid versions of the plugin
  4. The vulnerabilities were fixed in versions 2.05.02 and 2.05.03 released by the company

Researchers have discovered several critical vulnerabilities in the Formidable Forms plugin which exposed WordPress websites to attack.

Formidable Forms plugins are used to create contact pages, polls, surveys and other forms, and the plugin has more than 200,000 active installs. The vulnerabilities were discovered by Jouko Pynnonen, a researcher at the Finland-based company Klikki Oy.

Pynnonen said the most severe flaw was a blind SQL injection that can be exploited to enumerate the database and its tables on affected systems and retrieve their contents, including user credentials and data submitted to the website through forms. Another flaw exposes the data users have submitted through forms created with the plugin. According to the researcher, both vulnerabilities stem from the way the plugin implemented shortcodes, and they affect both the paid and free versions of the plugin.

The stored XSS vulnerabilities let an attacker inject malicious code through forms created with the plugin and execute arbitrary JavaScript in the context of an administrator's browsing session. "In this way, an unauthenticated attacker can inject arbitrary JavaScript in a Formidable form entry to be executed whenever an administrator views the form in WordPress Dashboard. Server-side code execution can be achieved under default configuration e.g., via the plugin or theme editor AJAX functions."

If the iThemes Sync plugin is active alongside Formidable Forms, an attacker can use the SQL injection flaw to retrieve the user's authentication key from the database, Pynnonen said.

Pynnonen said he discovered the vulnerabilities as part of a bug bounty program run by a Singapore-based technology company, which offered rewards of up to $10,000. He received $4500 for the SQL injection vulnerability and around $200 for the other flaws.

Formidable Forms fixed the flaws in versions 2.05.02 and 2.05.03, and users are advised to update immediately.

About the Author

Ashique Sajjad

Ashique is a self-motivated and passionate security analyst with good knowledge of computer networking, security analysis, vulnerability assessment and penetration testing.